By Tony Collins
In one of the most bizarre regressions since the FOI Act came into force in 2005, officials at Somerset County Council have redacted an audit report on SAP security weaknesses after the report was published in full.
The result is that anyone can see links to both reports. This is the report with parts of it redacted – blacked out. These are links to the full versions, which were published before the redactions – here and here.
The report was written by auditors Grant Thornton for Somerset County Council and highlights weaknesses in a database that is shared by the council, Taunton Deane Borough Council and Avon and Somerset Police. The database is part of a SAP system run by Southwest One on behalf of the three authorities.
Southwest One is an IBM-led enterprise that provides IT and other services to the three authorities under a controversial outsourcing contract. Dave Orr has written comprehensively about the deal.
Somerset published the Grant Thornton report in full. The media, including Campaign4Change, published some details of the IT security weaknesses mentioned in the Grant Thornton report. It appears that Avon and Somerset Police then asked officials at Somerset to black out details of some of the weaknesses.
Somerset-based FOI campaigner Dave Orr says the blacking out is to save the blushes of the police.
Says Orr: “Much of the redaction in the Somerset County Council IT Controls report by Grant Thornton, especially generic and available password advice in Section 3, is not based in a genuine security threat, but looks to be rooted in a Police culture that seeks to avoid criticism and/or embarrassment.”
Somerset MP Ian Liddell-Grainger says:
“SAP was built on the cheap by IBM to serve three different customers – the County Council, Taunton Deane district council and the Police. It would have made sense to bung in a few partitions to stop council eyes taking a peek at police matters, or vice versa. But that would have cost money – perish the thought.”
In a related FOI on the Constabulary (currently under Internal Review), it was implied by the Constabulary that they had not sighted the SAP IT security weaknesses report for Somerset CC by external auditors Grant Thornton:
“Avon and Somerset Constabulary cannot comment on whether or not there are discrepancies as Grant Thornton has not discussed their review with this constabulary.”
That FOI is here:
Quite how Somerset CC knew what to redact (after the full publication in a public Audit Committee meeting) without any Avon and Somerset Constabulary or Police & Crime Commissioner’s Office contact or input remains a mystery.
I look forward to the discrepancies between the two conflicting SAP IT Security reports (glowing Police report in 2011/12 by SAP themselves versus Somerset CC “serious concerns” report in 2013 by Grant Thornton) being reconciled at the next Police Joint Audit Committee meeting in March.